Quick introduction to reverse engineering for beginners
#include <stdio.h>
#include <fcntl.h>   /* declares open() and the O_* flag constants */

void main()
{
    int handle;
    /* only filename and flags are passed; no mode argument, as the disassembly below shows */
    handle=open ("file", O_RDWR | O_CREAT);
}

We got:
public main
main proc near

var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_4  = dword ptr -4

    push    ebp
    mov     ebp, esp
    and     esp, 0FFFFFFF0h
    sub     esp, 20h
    mov     [esp+20h+var_1C], 42h
    mov     [esp+20h+var_20], offset aFile ; "file"
    call    _open
    mov     [esp+20h+var_4], eax
    leave
    retn
main endp
Let's take a look into the open() function in the libc.so.6 library; it contains nothing but the syscall invocation:
.text:000BE69B    mov     edx, [esp+4+mode]     ; mode
.text:000BE69F    mov     ecx, [esp+4+flags]    ; flags
.text:000BE6A3    mov     ebx, [esp+4+filename] ; filename
.text:000BE6A7    mov     eax, 5
.text:000BE6AC    int     80h                   ; LINUX - sys_open
So the open() flag bits are probably checked somewhere in the Linux kernel.
Of course, it is easy to download both the Glibc and the Linux kernel source code, but we want to understand the matter without them.
So, as of Linux 2.6, when the sys_open syscall is called, control eventually passes into the do_sys_open kernel function, and from there into the do_filp_open() function (located in the kernel source tree in the file fs/namei.c).
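To read the constant 42h that the listing stores at [esp+20h+var_1C] back into the O_* flags the C source spelled out, here is a small decoder, added as an example and not code from the book. It hardcodes the Linux/x86 flag values from asm-generic/fcntl.h so that it does not depend on the host's headers when analysing a foreign binary, and it treats the low two bits as the O_ACCMODE field rather than as bit flags (O_RDONLY is 0, so a plain bit test would never name it).

```c
/* Decode an open(2) flags constant seen in a disassembly into symbolic names.
 * Added example; flag values are the Linux/x86 ones (octal in the kernel
 * headers), hardcoded on purpose so the decoder works for a Linux target
 * regardless of the host platform. */
#include <stdio.h>
#include <string.h>

/* Single-bit flags, OR-ed together in the flags argument. */
static const struct { unsigned bit; const char *name; } open_bits[] = {
    { 0x0040, "O_CREAT"    },   /* 0100  */
    { 0x0080, "O_EXCL"     },   /* 0200  */
    { 0x0100, "O_NOCTTY"   },   /* 0400  */
    { 0x0200, "O_TRUNC"    },   /* 01000 */
    { 0x0400, "O_APPEND"   },   /* 02000 */
    { 0x0800, "O_NONBLOCK" },   /* 04000 */
};

/* Writes "O_RDWR|O_CREAT"-style text into out. Returns the bits that were
 * not recognised (0 means everything was decoded); unknown bits are also
 * appended in hex so they are never silently dropped. */
unsigned decode_open_flags(unsigned flags, char *out, size_t outsz)
{
    /* Access mode is a 2-bit field (O_ACCMODE), not a bitmask. */
    static const char *acc[] = { "O_RDONLY", "O_WRONLY", "O_RDWR", "ACCMODE=3(invalid)" };
    snprintf(out, outsz, "%s", acc[flags & 3]);
    unsigned rest = flags & ~3u;
    for (size_t i = 0; i < sizeof open_bits / sizeof open_bits[0]; i++) {
        if (rest & open_bits[i].bit) {
            size_t len = strlen(out);
            snprintf(out + len, outsz - len, "|%s", open_bits[i].name);
            rest &= ~open_bits[i].bit;
        }
    }
    if (rest) {
        size_t len = strlen(out);
        snprintf(out + len, outsz - len, "|0x%x", rest);
    }
    return rest;
}

int main(void)
{
    char buf[128];
    /* 42h is the constant the listing above passes as the flags argument. */
    unsigned leftover = decode_open_flags(0x42, buf, sizeof buf);
    printf("0x42 -> %s (undecoded bits: 0x%x)\n", buf, leftover);
    return 0;
}
```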
Important note. Aside from the usual passing of arguments via the stack, there is also a method to pass some of them via registers. This is also called fastcall (see section 2.5.3). It works faster, because the CPU does not need to access the stack in memory to read the argument values. GCC has the option regparm [46], and with it one can set the number of arguments that may be passed via registers.
The Linux 2.6 kernel is compiled with the -mregparm=3 option [47] [48].
What this means for us: the first 3 arguments will be passed via the EAX, EDX and ECX registers, the rest via the stack. Of course, if the number of arguments is less than 3, only some of these registers will be used.
[46] http://ohse.de/uwe/articles/gcc-attributes.html#func-regparm
[47] http://kernelnewbies.org/Linux_2_6_20#head-042c62f290834eb1fe0a1942bbf5bb9a4accbc8f
[48] See also the file arch\x86\include\asm\calling.h in the kernel tree